PowerPoint Slideshow about 'Chapter 2' - nitara
Chapter 2

Last modified 1-23-09
Determining If The System Is Alive
  • Summary
    • Ping Sweeps
      • Fping
      • Nmap
      • SuperScan
      • Ping Sweep from SolarWinds
      • Hping2
      • Icmpenum
    • Countermeasures
    • ICMP Queries
Determining If The System Is Alive
  • Network Ping Sweeps
    • Ping is traditionally used to send ICMP ECHO (Type 8) packets to a target system
    • Response is ICMP ECHO_REPLY (Type 0) indicating the target system is alive
  • fping is a fast PING scanner, because it doesn't wait for a response from one system before moving on to the next one
    • Available for Linux and Windows
      • Link Ch 2b for Windows version (seems slower)
Ping Sweep With Nmap
  • Use the -sP option
  • Does PING scanning, using several types of ICMP packets
  • Also does port scanning, banner grabbing, whois, and enumeration
Superscan Enumeration
  • To run SuperScan, you need Win 2000 or Win XP before SP 2
  • Great tool
    • Link Ch 2c
ICMP Packet Types
  • Message Type: 0 - Echo Reply
  • Message Type: 3 - Destination Unreachable
  • Message Type: 4 - Source Quench
  • Message Type: 5 - Redirect
  • Message Type: 8 - Echo
  • Message Type: 11 - Time Exceeded
  • Message Type: 12 - Parameter Problem
  • Message Type: 13 - Timestamp
  • Message Type: 14 - Timestamp Reply
  • Message Type: 15 - Information Request
  • Message Type: 16 - Information Reply
Ping Sweep from SolarWinds
  • Scans really fast, which can saturate a network
  • Commercial tool, but there's a 30-day trial available
    • Ch 2d
  • Unix utility that sends the traditional ICMP ECHO packets as well as
    • ICMP INFO requests
  • Similar to SuperScan
ICMP Blocking
  • ICMP is often blocked these days
    • Blocked by default in Win XP SP2, Win 2003 SP 1, and Vista
  • If ICMP is blocked, use port scanning
    • Slower than ping sweeping
      • SuperScan for Win 2000 or XP without SP2
      • Nmap for Linux, Unix, or Windows
      • Hping2 for Unix (can fragment packets)
  • TCP Ping Scan uses TCP ACK packets instead of ICMP
  • Zenmap GUI runs on Vista (as Administrator) – very pretty
  • Use -PT 80 to get through many firewalls
    • Link Ch 2i
Other Ports to Use
  • Email ports
    • SMTP (25)
    • POP (110)
    • IMAP (143)
  • AUTH (113)
    • IDENT service – determines remote user of a network connection (link Ch 2g)
Ping Sweeps Countermeasures
  • Detecting Ping Sweeps
    • Network-based Intrusion Detection Systems like Snort detect ping sweeps
    • Ping scans will be in the host logs
    • Firewalls can detect ping scans
Ping Sweep Detection Tools
  • For Unix
    • Scanlogd, Courtney, Ippl, Protolog
  • For Windows
    • Snort could be used (link Ch 2z9)
Blocking ICMP
  • Routers may require some ICMP packets, but not all types
  • Safest procedure would be to allow ICMP only from your ISP, and only to public servers on your DMZ
Other ICMP Threats
  • ICMP can be used for a Denial of Service attack
  • ICMP can be used as a covert channel with Loki
    • Allowing unauthorized data transfer
    • Such as control signals for a back-door trojan
    • Links Ch 2l, Ch 2m
ICMP Queries
  • icmpquery uses ICMP type 13 (TIMESTAMP) to find the system time, which shows its timezone
  • ICMP type 17 (ADDRESS MASK REQUEST) shows the subnet mask
    • Link Ch 2n
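To make the ICMP type list and the blocking policy from the slides above concrete, here is an added Python example; it is not from the slides or from any tool they mention. It parses a raw ICMP message, verifies the RFC 1071 checksum, names the message type, and returns a border-filter verdict that follows the slides' advice (pass ICMP only from your ISP and only to DMZ servers) while always dropping the timestamp, information and address-mask queries that only answer reconnaissance questions. The `QUERY_TYPES` set, the `build_icmp` helper used to construct samples, and the verdict strings are my assumptions.

```python
import struct

# ICMP message types from the slide list (RFC 792 numbers), plus the
# address-mask pair mentioned under "ICMP Queries".
ICMP_TYPES = {
    0: "Echo Reply",
    3: "Destination Unreachable",
    4: "Source Quench",
    5: "Redirect",
    8: "Echo",
    11: "Time Exceeded",
    12: "Parameter Problem",
    13: "Timestamp",
    14: "Timestamp Reply",
    15: "Information Request",
    16: "Information Reply",
    17: "Address Mask Request",
    18: "Address Mask Reply",
}

# Assumed policy (not stated on the slides): a border filter never needs to
# accept these from arbitrary hosts, since they only reveal system time /
# timezone or the subnet mask, or are obsolete.
QUERY_TYPES = {13, 15, 17}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd-length message with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(msg_type: int, code: int = 0, payload: bytes = b"") -> bytes:
    """Construct an ICMP message with a correct checksum (sample data only)."""
    header = struct.pack("!BBH", msg_type, code, 0) + payload
    return struct.pack("!BBH", msg_type, code, icmp_checksum(header)) + payload


def parse_icmp(data: bytes) -> dict:
    """Parse type/code/checksum; checksum_ok is True when the sum over the
    whole message (including the checksum field) folds to zero."""
    if len(data) < 4:
        raise ValueError("ICMP message shorter than the 4-byte header")
    msg_type, code, _csum = struct.unpack("!BBH", data[:4])
    return {
        "type": msg_type,
        "code": code,
        "name": ICMP_TYPES.get(msg_type, "Unknown (%d)" % msg_type),
        "checksum_ok": icmp_checksum(data) == 0,
        "payload": data[4:],
    }


def border_verdict(data: bytes, from_isp: bool, to_dmz: bool) -> str:
    """Decide whether a border filter should pass this ICMP message, following
    the slide's policy: allow ICMP only from the ISP and only to public DMZ
    servers; always drop reconnaissance queries and corrupt messages."""
    msg = parse_icmp(data)
    if not msg["checksum_ok"]:
        return "drop: bad checksum"
    if msg["type"] in QUERY_TYPES:
        return "drop: %s is a reconnaissance query" % msg["name"]
    if from_isp and to_dmz:
        return "pass: %s" % msg["name"]
    return "drop: %s is not ISP-to-DMZ traffic" % msg["name"]


if __name__ == "__main__":
    for pkt, isp, dmz in [
        (build_icmp(8, 0, b"\x00\x01\x00\x01abcd"), True, True),   # echo to DMZ
        (build_icmp(13, 0, b"\x00" * 16), True, True),             # timestamp query
        (build_icmp(8), False, True),                              # echo from elsewhere
    ]:
        print(parse_icmp(pkt)["name"], "->", border_verdict(pkt, isp, dmz))
```

The checksum check matters for a filter: a message whose checksum does not verify is dropped before its type is even considered, so a malformed probe cannot slip past the type rules.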
Determining Which Services Are Running Or Listening
  • Summary
    • Port Scanning
    • Scan Types
    • Identifying TCP and UDP Services Running
    • Windows-Based Port Scanners
    • Port Scanning Breakdown
Port Scan Types
  • We covered these ones in CNIT 123
    • TCP Connect scan
    • TCP SYN scan
    • TCP FIN scan
    • TCP Xmas Tree scan (FIN, URG, and PUSH)
    • TCP Null scan
    • TCP ACK scan
    • UDP scan
TCP Header
  • WINDOW indicates the amount of data that may be sent before an acknowledgement is required
TCP Window Scan
  • Sends ACK packets
    • Both open and closed ports reply with RST packets
    • But on some operating systems, the WINDOW size in the TCP header is non-zero for open ports, because the listening service does sometimes send data
    • Link Ch 2x
RPC Scan
  • SunRPC (Sun Remote Procedure Call) is a common UNIX protocol used to implement many services including NFS (Network File System)
  • The RPC scan works on Unix systems, including Solaris
  • Enumerates RPC services, which are rich in exploitable security holes
    • See link Ch 2y
  • Interesting options
    • -f fragments packets
    • -D Launches decoy scans for concealment
    • -I IDENT Scan – finds owners of processes (on Unix systems)
    • -b FTP Bounce (see next slide)
FTP Bounce
[Diagram: (1) transfer attack code to FTP server; (2) request file transfer from the FTP server to the target]
  • Old FTP servers allowed a request for a file transfer to a third IP address
  • This could be used to send email or other data to the third computer from the FTP server
Nmap Book Out
  • Available from Amazon
  • Highly Recommended
Older Port Scanning Tools
  • strobe – fast TCP scanner
  • udp_scan – UDP scanner
  • netcat – can do port scanning
Amap (not in book)
  • Application scanner – finds applications even if they are running on unusual ports
  • Steps to use amap:
    • Create a folder C:\amap
    • Download amap from link Ch 2h & extract it there
Amap (not in book)
  • Run an nmap scan with this option, to save the output file: -oM c:\amap\filename.nmap
  • At Command Prompt in C:\amap, run: amap -bqv -i hackebank.nmap
Windows-Based Port Scanners
  • SuperScan
    • Four different ICMP host-discovery techniques
    • Accurate UDP scan sending "nudge strings"
    • Banner grabbing
    • Many other tools
  • Nmap with the Zenmap GUI
    • Powerful, runs on Vista
Popular Scanning Tools and Features
  • Add Nmap with Zenmap in the Windows group
Port Scanning Countermeasures
  • Snort is a great free IDS (Intrusion Detection System)
    • [**] spp_portscan: PORTSCAN DETECTED from [**] 05/22-18:48:53.681227
    • [**] spp_portscan: portscan status from 4 connections across 1 hosts: TCP(0), UDP(4) [**] 05/22-18:49:14.180505
    • [**] spp_portscan: End of portscan from [**] 05/22-18:49:34.180236
Other Detection Tools
  • Scanlogd
    • Detects TCP Port Scans on Unix
  • Firewalls can detect port scans
    • Use threshold logging to limit the volume of email alerts sent by your firewall
    • That groups similar alerts into a single email
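The "Ping Sweeps Countermeasures" and "Port Scanning Countermeasures" slides both describe the same kind of threshold detection that Snort's spp_portscan preprocessor and scanlogd perform. The following Python example is added here to show that logic end to end; it is not Snort's or scanlogd's code. It reads a constructed connection log (the `SAMPLE_LOG` lines and their format are invented for this example), keeps a sliding time window per source address, and raises a ping sweep alert when one source sends ICMP echo to enough distinct hosts, or a port scan alert when one source touches enough distinct TCP ports on one host. The window length and thresholds are assumed defaults, and the summary line is modelled on the Snort output quoted above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (not from any real sensor). Format:
#   <mm/dd-HH:MM:SS> <proto> <src> <dst> <dport, or ICMP type for icmp>
SAMPLE_LOG = """\
05/22-18:48:53 icmp 10.0.0.5 10.0.1.1 8
05/22-18:48:53 icmp 10.0.0.5 10.0.1.2 8
05/22-18:48:54 icmp 10.0.0.5 10.0.1.3 8
05/22-18:48:54 icmp 10.0.0.5 10.0.1.4 8
05/22-18:48:55 icmp 10.0.0.5 10.0.1.5 8
05/22-18:49:00 tcp 10.0.0.9 10.0.1.3 22
05/22-18:49:01 tcp 10.0.0.9 10.0.1.3 25
05/22-18:49:01 tcp 10.0.0.9 10.0.1.3 80
05/22-18:49:02 tcp 10.0.0.9 10.0.1.3 110
05/22-18:49:02 tcp 10.0.0.9 10.0.1.3 143
05/22-18:49:03 tcp 10.0.0.9 10.0.1.3 443
05/22-18:49:05 tcp 10.0.0.12 10.0.1.3 80
05/22-19:30:00 icmp 10.0.0.5 10.0.1.6 8
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, proto, src, dst, last = line.split()
    return {"time": datetime.strptime(ts, "%m/%d-%H:%M:%S"),
            "proto": proto, "src": src, "dst": dst, "n": int(last)}


def detect_scans(log_text: str, window_seconds: int = 60,
                 host_threshold: int = 4, port_threshold: int = 4) -> list:
    """Threshold detector (assumed defaults): within window_seconds, a source
    that sends ICMP echo to >= host_threshold distinct hosts is a ping sweep,
    and one that touches >= port_threshold distinct TCP ports on a single
    host is a port scan. Returns one alert dict per detected scan."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(list)   # src -> events still inside the window
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        q = recent[ev["src"]]
        q.append(ev)
        while q and ev["time"] - q[0]["time"] > window:   # age out old events
            q.pop(0)
        echo_hosts = {e["dst"] for e in q if e["proto"] == "icmp" and e["n"] == 8}
        tcp_ports = defaultdict(set)
        for e in q:
            if e["proto"] == "tcp":
                tcp_ports[e["dst"]].add(e["n"])
        kind = None
        if len(echo_hosts) >= host_threshold:
            kind = "ping sweep"
        elif any(len(p) >= port_threshold for p in tcp_ports.values()):
            kind = "port scan"
        if kind:
            alerts.append({
                "src": ev["src"], "kind": kind,
                "hosts": len({e["dst"] for e in q}),
                "tcp": sum(1 for e in q if e["proto"] == "tcp"),
                "icmp": sum(1 for e in q if e["proto"] == "icmp"),
                "first": q[0]["time"].strftime("%m/%d-%H:%M:%S"),
                "last": ev["time"].strftime("%m/%d-%H:%M:%S"),
            })
            q.clear()   # restart counting so one scan produces one alert, not many
    return alerts


def format_alert(a: dict) -> str:
    """Render an alert in the style of the Snort spp_portscan summary line."""
    return ("spp_portscan: %s DETECTED from %s: %d connections across %d hosts: "
            "TCP(%d), ICMP(%d) [%s - %s]"
            % (a["kind"].upper(), a["src"], a["tcp"] + a["icmp"], a["hosts"],
               a["tcp"], a["icmp"], a["first"], a["last"]))


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(format_alert(alert))
```

Clearing the per-source window after an alert is the same idea as the firewall "threshold logging" bullet above: one scan should produce one alert, not one email per probe. The lone echo from 10.0.0.5 forty minutes later stays below the threshold because the earlier probes have aged out of its window.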
Preventing Port Scans
  • You can't stop the scans from coming in, but you can minimize your attack surface
  • Disable unnecessary services
Detecting the Operating System
  • Banner-Grabbing
    • Many services announce what they are in response to requests
    • Banner grabbers just collect those banners
    • But they could be spoofed
Active Stack Fingerprinting
  • Details of the TCP Packets are used to identify the operating system
  • Nmap does this, using these probes:
    • FIN probe
    • Bogus Flag probe
    • Initial Sequence Number (ISN) sampling
    • "Don't fragment bit" monitoring
    • TCP initial window size
      • And many others
Operating System Detection Countermeasures
  • IDS can detect operating system detection scans
  • Hacking the OS to change its TCP stack is dangerous, and not recommended
  • Best policy: Accept that your firewalls and proxy servers will be scanned and fingerprinted, and harden them against attackers who know the OS
Passive Operating System Identification
  • Sniff traffic and guess the OS from that
  • Examine these features
    • TTL (time-to-live)
    • Window size
    • DF (Don't fragment bit)
  • siphon was the first tool to do this; it's now out of date
  • p0f is a newer one (link Ch 2z6)
p0f on Vista
  • Run p0f in a Command Prompt Window
  • Open a Web page
  • It fingerprints any OS it can see on the LAN
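The three features the slide lists (TTL, window size, DF bit) are enough for a toy version of what siphon and p0f do. The Python example below is added here; it is not p0f's code and does not use p0f's signature database. It parses an IPv4 header and the TCP header behind it straight from bytes, estimates the sender's initial TTL by rounding the observed TTL up to the nearest common default (and so the hop count), and matches the triple against a small `SIGNATURES` table whose values I chose as illustrative approximations of classic stacks. The `build_syn` helper only constructs test packets; a real deployment would read frames from a capture and use p0f's maintained signatures.

```python
import struct

# Illustrative signature table (assumed values for this example, NOT p0f's
# database): initial TTL, TCP window size and DF bit of an initial SYN.
SIGNATURES = [
    {"ttl": 64,  "window": 5840,  "df": True,  "os": "Linux 2.4/2.6 (illustrative)"},
    {"ttl": 64,  "window": 65535, "df": True,  "os": "BSD-like (illustrative)"},
    {"ttl": 128, "window": 8192,  "df": True,  "os": "Windows (illustrative)"},
    {"ttl": 255, "window": 4128,  "df": False, "os": "Cisco IOS (illustrative)"},
]


def initial_ttl(observed: int) -> int:
    """Guess the sender's initial TTL by rounding up to a common default."""
    for candidate in (32, 64, 128, 255):
        if observed <= candidate:
            return candidate
    return 255


def parse_ipv4_tcp(frame: bytes) -> dict:
    """Extract TTL, DF and window (the slide's three features) plus the TCP
    flags and a hop estimate from an IPv4 packet carrying a TCP segment."""
    if len(frame) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _tos, _tot_len, _ident, frag, ttl, proto = struct.unpack("!BBHHHBB", frame[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != 6:
        raise ValueError("not TCP")
    ihl = (ver_ihl & 0x0F) * 4          # IP header length in bytes
    tcp = frame[ihl:ihl + 20]
    if len(tcp) < 20:
        raise ValueError("short TCP header")
    sport, dport, _seq, _ack, offset_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    flags = offset_flags & 0x01FF        # low 9 bits hold the TCP flags
    guess = initial_ttl(ttl)
    return {
        "ttl": ttl, "initial_ttl": guess, "hops": guess - ttl,
        "df": bool(frag & 0x4000),       # DF is bit 14 of the flags/offset word
        "window": window,
        "syn": bool(flags & 0x02), "ack": bool(flags & 0x10),
        "sport": sport, "dport": dport,
    }


def guess_os(frame: bytes) -> str:
    """Passive guess for an initial SYN, in the spirit of siphon/p0f."""
    f = parse_ipv4_tcp(frame)
    if not (f["syn"] and not f["ack"]):
        return "not an initial SYN; these signatures apply to SYNs only"
    for sig in SIGNATURES:
        if (sig["ttl"], sig["window"], sig["df"]) == (f["initial_ttl"], f["window"], f["df"]):
            return "%s ttl=%d ~%d hops" % (sig["os"], f["ttl"], f["hops"])
    return "unknown ttl=%d window=%d df=%s" % (f["ttl"], f["window"], f["df"])


def build_syn(ttl: int, window: int, df: bool, sport: int = 40000, dport: int = 80) -> bytes:
    """Construct an IPv4 + TCP SYN header pair for testing (checksums left zero;
    addresses are constructed sample values)."""
    frag = 0x4000 if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, frag, ttl, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 1, 3]))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | 0x02, window, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    for pkt in (build_syn(52, 5840, True), build_syn(115, 8192, True), build_syn(60, 1234, False)):
        print(guess_os(pkt))
```

The hop estimate is what makes passive identification useful to a defender beyond the OS label: a SYN claiming to come from a LAN neighbour but arriving with a TTL twelve below any common default deserves a second look.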
Automated Discovery Tool: Cheops-ng
  • Combines Ping, Traceroute, Port Scans, and OS Detection to draw a network map
    • Link Ch 2z7
  • Vista's "Network Map" is worth a look